“Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.” https://www.rfc-editor.org/rfc/rfc2616#section-15.1.3
According to the standard, https://google.com shouldn't send the Referer header to non-secure sites, but it does. Do other HTTPS sites send the Referer header to HTTP sites?
All these tests are done using Chrome v33.0.1750.117
To run the test I go to the first page, then open the console and manually do a redirect, using location = "http://reddit.com":
https://google.com -> http://www.reddit.com: Referer header is kept
https://startpage.com/ -> http://www.reddit.com: Referer header is stripped
https://bankofamerica.com -> http://reddit.com: Referer header is stripped
https://facebook.com -> http://reddit.com: Referer header is stripped
Is Google doing something special to keep the Referer header? Is there a list of HTTPS sites that keep the Referer header? Are there any other cases where the Referer header is removed?
cnst answers this correctly above; it's content="origin". That forces browsers going HTTPS->HTTPS and HTTPS->HTTP to have the request header:
http-referer=https://www.google.com
This functionality allows sites to get credit for traffic without leaking URL parameters to a third party. It's awesome, as it's so much less hacky than what people have used here in the past.
There are currently three competing specs for this. I don't know which one is authoritative, and suspect it's a mix. They're similar, on most points.
Here's available support, that I know of; would love for people to let me know if I'm wrong or missing anything.
Now:
Unknown version:
Upcoming real soon now:
When you do a Google Search with Google Chrome, the following tag appears in the search results:
<meta content="origin" id="mref" name="referrer">
The origin value means that instead of completely omitting the Referer when going to http from https, the origin domain name should be provided, but not the exact page within the site (e.g. search strings will remain private).
On the other hand, link aggregators like lobsters have the following, which ensures that the whole URL will always be provided in the Referer (by browsers like Chrome and Safari), since link stories are public anyways:
<meta name="referrer" content="always" />
As of mid-2014, this meta[@name="referrer"] is just a proposed functionality for HTML5, and it doesn't appear to have been implemented in Gecko, for example -- only Chrome and Safari are claimed to support it.
http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html
https://bugzilla.mozilla.org/show_bug.cgi?id=704320
http://wiki.whatwg.org/wiki/Meta_referrer
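The following is an added example, not code from the question or either answer, that models the three behaviours the thread describes: the RFC 2616 default (no Referer on an HTTPS to HTTP request), content="origin" (origin only, even on a downgrade, so search strings stay private) and content="always" (the full URL). It runs in Node or a browser console; the URLs and the search query are constructed inputs, and the policy names and rules are a simplified model of what the answers state, not a full implementation of a browser's referrer-policy handling.

```javascript
// Added example (not from the original question or answers). Simplified model
// of the Referer a browser sends under the three behaviours described above:
// "default" (RFC 2616 15.1.3), "origin" (<meta name="referrer" content="origin">)
// and "always" (<meta name="referrer" content="always">). Real browsers
// support more policy values and more rules than this.

// A full Referer never carries credentials or the fragment.
function fullReferer(from) {
  const u = new URL(from);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u.toString();
}

// Returns the Referer value to send, or null when the header is omitted.
function refererFor(from, to, policy = "default") {
  const src = new URL(from);
  const dst = new URL(to);
  const downgrade = src.protocol === "https:" && dst.protocol === "http:";

  switch (policy) {
    case "always":
      // Whole URL is sent regardless of scheme (the lobsters case).
      return fullReferer(from);
    case "origin":
      // Only the origin is sent, serialized with a trailing slash; no path
      // or query, so a search string is never leaked (the Google case).
      return src.origin + "/";
    case "default":
      // RFC 2616 15.1.3: no Referer from a secure page to a non-secure request.
      return downgrade ? null : fullReferer(from);
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// Replays the question's manual tests with a constructed search URL
// (hypothetical query string, not a real observation).
function runPageTests() {
  const search = "https://www.google.com/search?q=secret+query";
  return {
    googleOrigin: refererFor(search, "http://www.reddit.com/", "origin"),
    startpageDefault: refererFor("https://startpage.com/do/search?q=x", "http://www.reddit.com/", "default"),
    httpsToHttps: refererFor(search, "https://www.reddit.com/", "default"),
    lobstersAlways: refererFor("https://lobste.rs/s/abc123", "http://example.com/", "always"),
  };
}

console.log(runPageTests());
```

The "origin" branch is why the question's Google test keeps a Referer while the other HTTPS sites lose it: the header is still sent on the downgrade, but it is reduced to the origin, so the query parameters of the search page never reach the HTTP site.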